
I use a DirectorySearcher to get all users from Active Directory - but I need to get only "real" users.

Filter:

search.Filter = "(&(objectClass=user)(objectCategory=person))";

but I get all user accounts, like:

henry.miller            <-wanted
ernest.hemingway        <-wanted
HealthMailboxced7671    <-not wanted 

Question: how does my filter need to be modified to return only real users?

My whole code:

using System;
using System.DirectoryServices;

// Bind to the domain root; the search covers everything below it.
string DomainPath = "LDAP://DC=writers,DC=local";
DirectoryEntry searchRoot = new DirectoryEntry(DomainPath);
DirectorySearcher search = new DirectorySearcher(searchRoot);
search.Filter = "(&(objectClass=user)(objectCategory=person))";
// Only the logon name is needed from each result.
search.PropertiesToLoad.Add("samaccountname");

SearchResult result;

SearchResultCollection resultCol = search.FindAll();

if (resultCol != null)
{
    for (int counter = 0; counter < resultCol.Count; counter++)
    {
        result = resultCol[counter];

        // Skip entries that do not carry the attribute at all.
        if (result.Properties.Contains("samaccountname"))
        {
            Console.WriteLine((String)result.Properties["samaccountname"][0]);
        }
    }
}
marsh-wiggle
  • Try this filter - `(&(objectCategory=person)(objectClass=user)(SAMAccountName=*)(!(homeMDB=*NonUser*)))` – Prany Jul 04 '18 at 16:39
  • Just noticed one typo in the above, use `sAMAccountName` instead of `SAMAccountName`. Also try by LDAP - `(&(objectCategory=person)(objectClass=user)(sAMAccountName=*)(!(cn=*O*)))` – Prany Jul 04 '18 at 16:50
  • I think it is CN only and it is different from distinguishedName – Prany Jul 04 '18 at 17:12

1 Answer


Try below using LDAP

 (&(objectCategory=person)(objectClass=user)(sAMAccountName=*)(!(cn=*O*)))

Just for info - CN is Common Name. You can get more info on LDAP here

You also asked me with what property you can retrieve cn. Here you can extract it with this code snippet (for a double check). But as far as I know it is CN only.

foreach (string property in result.Properties.PropertyNames)
{
    foreach (Object propertyValue in result.Properties[property])
    {
        // print out the property name and value
        Console.WriteLine(property + ": " + propertyValue);
    }
}
Prany
  • Sorry Prany, does not work. It only removes common names with an "O"; also wanted names like "thomas" – marsh-wiggle Jul 04 '18 at 17:45
  • @boboes - There must be a domain name, right? So you can filter by `(&(objectCategory=person)(objectClass=user)(sAMAccountName=*)(mail = *@Yourdomain.com))` – Prany Jul 04 '18 at 17:51
  • HealthMailboxfbff1f1a718e4874917d7e39076275bd@writers.local – marsh-wiggle Jul 04 '18 at 17:56
  • @boboes - Is this the output ? – Prany Jul 04 '18 at 17:58
  • In fact the users I don't want seem to be real users without any differences and I have to accept them when an Exchange server is installed. – marsh-wiggle Jul 04 '18 at 17:59
  • Give it a try on this one - `&(objectClass=user)(cn=" + username + ");` – Prany Jul 04 '18 at 18:10
  • @boboes: If your admin has created those mailboxes as real users, there is no way to tell the difference in the AD. I recommend trying the AD Explorer created way back by Mark Russinovich to see if you can find any properties that you can use to distinguish the two types of users: https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer – Jakob Christensen Jul 06 '18 at 06:32
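
Added example, not part of the original thread: a programmatic version of the attribute comparison suggested in the last comment, built on the property loop from the answer. It assumes a domain-joined machine, the domain path from the question, and the two account names from the question as reference accounts; `AttributeDiff`, `Load` and `Render` are names made up for this sketch.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Linq;

static class AttributeDiff
{
    // Byte arrays (objectGUID, objectSid) are shown as hex, everything else as text.
    static string Render(object v) => v is byte[] b ? BitConverter.ToString(b) : Convert.ToString(v);

    // Fetch every attribute the directory returns for one account.
    static Dictionary<string, string[]> Load(DirectoryEntry root, string sam)
    {
        // sam is a fixed reference name here; escape it per RFC 4515 before passing user input.
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + sam + "))";
        using (var search = new DirectorySearcher(root, filter)) // empty PropertiesToLoad = all attributes
        {
            SearchResult result = search.FindOne();
            if (result == null) throw new ArgumentException("Account not found: " + sam);
            var attrs = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
            foreach (string name in result.Properties.PropertyNames)
                attrs[name] = result.Properties[name].Cast<object>().Select(v => Render(v)).ToArray();
            return attrs;
        }
    }

    static void Main()
    {
        using (var root = new DirectoryEntry("LDAP://DC=writers,DC=local"))
        {
            var wanted = Load(root, "henry.miller");            // reference "real" user
            var unwanted = Load(root, "HealthMailboxced7671");  // reference unwanted account
            foreach (string name in wanted.Keys.Union(unwanted.Keys, StringComparer.OrdinalIgnoreCase).OrderBy(n => n))
            {
                bool inW = wanted.TryGetValue(name, out var w);
                bool inU = unwanted.TryGetValue(name, out var u);
                if (inW && inU && w.SequenceEqual(u)) continue; // same on both: cannot tell them apart
                Console.WriteLine("{0}\n  wanted:   {1}\n  unwanted: {2}", name,
                    inW ? string.Join("; ", w) : "<absent>", inU ? string.Join("; ", u) : "<absent>");
            }
        }
    }
}
```

An attribute that is absent on one side, or whose value differs in a way that is not simply per-account (names, GUIDs, timestamps), is a candidate for an extra filter clause. Compare several pairs of accounts before relying on it.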